install the latest service packs and updates onto the server, reinstall the Group Policy Management console, verify permissions on the SYSVOL folder and check DNS for any duplicate entries for your server name.

If that doesn't help, this article has some troubleshooting hints:
Userenv errors occur and events are logged after you apply Group Policy to computers that are running Windows Server 2003, Windows XP, or Windows 2000
http://support.microsoft.com/kb/887303

0

EcoMediaAuthor Commented: 2009-05-21

kgreeneit,

The server has all of the latest service packs and updates. GPM was freshly installed. DNS was checked. The FQDN works from other workstations on the network that utilize the same DNS server. Permissions on SYSVOL appear to be correct, again accessible by other workstations, just not the server. Host file is clean.

Though you have one DC, look in event logs under FRS to see if you have events in the 13000's. You may have FRS metadata of a server that no longer exists. That could mess up your group policies.

As far as Exchange, it is most likely a DNS issue.

Though you're not seeing issues on netdiag or DCdiag, intermittent network connectivity can be a result of SP1 on the server. Someone mentioned that updating to SP2 might help. I think this is the resolution to your problem.

Furthermore, it appears to be a communications problem and might be the software firewall of the server. So, you might check your software firewall, (like Windows Firewall).

0

EcoMediaAuthor Commented: 2009-05-22

ChiefIT,

At this moment there is nothing in the FRS Event log, I don't recall ever seeing anything but informational events.

The SP2 is installed on the server.

Checked the firewall, even tried setting the server's IP DNS record to loopback 127.0.0.1.

Since this is a ONE server environment and you don't have a replication partner, (also there is no evidence of FRS metadata). I am beginning to believe you have a netbios communications problem for both mail and group policy:

Now, I know I am going to receive a lot of debate on this because mail client software traditionally contacts the mail server via DNS. However, I am seeing some people use the Netbios name as the host mail server when configuring the Mail client to communicate with the server. So, in other words, if you set up your mail client to contact the server by:

For Mail clients always use the fully qualified domain name as the name for the host mail server instead of just the netbios name of the mail server.

0

EcoMediaAuthor Commented: 2009-05-22

ChiefIT,

I agree we have to look outside the box for this solution. I am not a newbie to technology, been around for over 35 years. However, you guys already have come up with a couple of things I hadn't tried, I appreciate the help.

All of your suggested pings worked from both a client and the server.

The server was running fine until about 4:45pm on the 20th, I picked up the problem via events around 10pm that day. The only change logged for that day was the install of WebLog. That was started about 10am and all the reporting scripts and web interface were up and running about 11am. Although I have all the anti-software running it is always possible this is being caused by a virus, at this point who knows.

What I find curious is that upon entering, on a client, "\\ecomediasourcellc\" IE8 starts offering suggestions, basically all of the shares on the server. On the server, starting to enter \\eco... only gets your \\ecomedia-dc\sysvol, typing anything past \\ecomedia removes all suggestions. Does anyone know the mechanism used to offer the suggestions? It may be a lead.

Hi again, sorry about the delay on this one - I've been off the air for the last day or so, came across a similar problem on Windows 2000 a few years ago and was trying to remember what I did to resolve the issue, here's what I found when I tracked through my old customer call logs:

Try the fixes in each of these articles and let me know if it resolves the problem.

0

EcoMediaAuthor Commented: 2009-05-24

Article 259151 doesn't totally apply to Windows 2003, however, permissions on the pagefile were correct, and pagefile size is reasonable.

Article 271213. %SystemRoot%\SYSVOL\Domain\Policies appears to be intact and correct. The directory and files are accessible. GPUpdate works without error on all workstations, but errors on the Server.

I checked the backups, although the entire %SystemRoot% directory and System State are included, the data contained in %SystemRoot%\SYSVOL\Domain\Policies is missing. Another clue?

Very important: Do you have a WINS server??? If so, do you have a WINS proxy??? If neither on both of these, do you have a remote site that netbios broadcasts must go through??

You have a few configurations to make in order for WINS and netbios to work right. Remember DFS shares, and therefore GPOs, are replicated between servers using DNS and then broadcasted out via netbios broadcasts. If you have a flat domain, you could elect to incorporate DFS over DNS and disable netbios altogether.

Let me know how you wish to proceed:

disable wins proxy?
change node type to mixed? (that would dictate if you are using broadcasts and WINS or just broadcasts)
incorporate DFS over DNS?

"Each Group Policy object (GPO) is stored partly in the Sysvol folder on the domain controller and partly in the Active Directory directory service. GPMC, Group Policy Object Editor, and the old Group Policy user interface that is provided in the Active Directory snap-ins present and manage a GPO as a single unit. For example, when you set permissions on a GPO in GPMC, GPMC sets permissions on objects both in Active Directory and in the Sysvol folder. For each GPO, the permissions in Active Directory must be consistent with the permissions in the Sysvol folder. You must not change these separate objects outside GPMC and Group Policy Object Editor. If you do so, this may cause Group Policy processing on the client to fail, or certain users who generally have access may no longer be able to edit a GPO.

Additionally, file system objects and directory service objects do not have the same available permissions because they are different types of objects. When permissions mismatch, it may not be easy to make them consistent. To help you make sure that the security for the Active Directory and for the Sysvol components of a GPO is consistent, GPMC automatically checks the consistency of the permissions of any GPO when you click the GPO in GPMC. If GPMC detects a problem with a GPO, you receive one of the messages that is described in the "Symptoms" section, depending on whether or not you have permissions to modify security on that GPO"

The fact that your data seems to be missing from backups and the fact that you can't seem to "auto browse" \\dc_name\sysvol share are glaring indicators of a permissions issue. This is definitely something you want to take a look at:

Also, confirm you have no "loopback" processing or explicit deny to policies. From a machine that has no problem "seeing" your GPOs, install GPMC and run through RSoP planning tool, filling in required parameters. You may find some further hints.

This is how things work. Group policy is saved on that server you configure it on within the SYSVOL file folder. The FRS (file replication service) replicates these policies from one server to its replication partners. Then, netbios broadcasts distribute these files out. I see the node type is netbios broadcasts. However, you have a WINS proxy configured for this. If you don't have a WINS proxy, we need to change that setting and make sure we are not looking for a WINS server that doesn't exist.

Here is the problem with netbios and WINS. Netbios broadcasts are not routable. That means they will not go through a VPN tunnel, across to a different subnet, to another VLAN, or across NAT. So, if you feel the need to route netbios broadcasts, you may have to enable a WINS connection between the two sites' domain master browsers. By election, that is typically the PDCe. Some use a WINS proxy to monitor all WINS data coming to and from that LAN.

Looking at the above IPconfig>>>What you are telling this computer is, I am going to a WINS proxy that doesn't even have a WINS server and we are not going to use WINS to communicate with the WINS server. Instead we are using netbios broadcasts. See the problem????

0

EcoMediaAuthor Commented: 2009-06-04

CynepMeH

I tried all of your suggestions and I still have the problem.

ChiefIT

I think I understand what you are saying. This is out of my range of knowledge. Researching the issue has not helped, maybe I don't know exactly what to search for. If you can provide a step by step I will try to correct the issue.

I have to question why the server has been functioning without these errors for about 4 months then suddenly fail?

At this point I'm ready to bring a new server on line, then rebuild this one.

1030 and 1058 give the location of the group policy object. Let's first make sure it exists within the sysvol file folder. You should see the GPT.INI within the file folder location if you follow the path.

Once done, make sure it exists on any other domain replication partners Sysvol file folder. The replication partners should be your other Domain controllers.

Also, how often are these events happening, (every 5 minutes or every 15 minutes)?

One thing you might consider is disabling Windows Firewall for about 20 minutes, and then seeing if these errors go away. Caution, only do this if you are behind a NAT router or enterprise firewall.

0

EcoMediaAuthor Commented: 2009-06-04

The 1030 and 1058 errors are being logged every 5 minutes

The path exists, but cannot be accessed directly on the server. The path is accessible from all other workstations.

The path: \\EcomediaSourceLLC.local\sysvol\EcomediaSourceLLC.local\Policies\{31...\gpt.ini

From the server you can access:
\\Ecomedia-dc\sysvol\EcomediaSourceLLC.local\Policies\{31...\gpt.ini

There is only one server in the network.

Windows Firewall and ICS is disabled, we are located behind a Firewall appliance.

This means that your servers are unable to replicate the sysvol and netlogon shares between them. Check your Event viewer logs and look in the FRS event logs for errors in the 13000's. If so, you have to reset your replication set. Let me know if these events exist.

Event 13565
Event 13508
Event 13566

Or any other event in event logs.

When receiving 1030 and 1058 every 5 minutes it means the servers are unable to communicate and replicate your sysvol and netlogon shares. You may have a partial replication set between the servers. A partial replication set is known as JOURNAL WRAP. This is easily fixed but we will have to fix the DNS discrepancies first before fixing Journal Wrap.

Don't let this information get to you. All we want to know now is what errors are in your FRS event logs.

0

EcoMediaAuthor Commented: 2009-06-19

Sorry for the delay, I was out of town on business.

The only entries in the FRS events are:

13501 - FRS Started
13516 - FRS no longer preventing the computer..... from being a DC

13501 - FRS Started
13516 - FRS no longer preventing the computer..... from being a DC

Not to be a pessimist. But, this tells me that FRS was down for a period of time. So, we should figure out why. DNS connections can be intermittent. Do you notice any slowness on the DC when contacting outside websites, maybe even timing out periodically?

0

EcoMediaAuthor Commented: 2009-06-19

Not down for a period of time just a server reboot. These are the messages I get when a server reboot is necessary.

The only thing I have noticed is that IE8 from workstations cannot make the initial internet connection occasionally, but Chrome doesn't seem to have a problem.

To be honest I do not have a lot of experience setting up a DNS server. I would not be surprised if this was the problem. My only doubt is that workstations have no problem accessing sysvol.
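
The checks discussed in this thread (whether each GPO's gpt.ini is reachable by domain name and by server name, how often events 1030/1058 are logged, and which FRS events in the 13000s exist), collected into one script as an added example that is not part of any post. The domain and server names are the ones quoted in the thread; it is assumed that PowerShell is installed on the domain controller and that the script is run there.

```powershell
# Added example, not from the thread. Run on the domain controller.
param(
    [string]$Domain = 'EcomediaSourceLLC.local',  # DNS domain name quoted in the thread
    [string]$DcName = 'Ecomedia-dc'               # server name quoted in the thread
)

# The same Policies folder, reached by domain name and by server name
$viaDomain = "\\$Domain\sysvol\$Domain\Policies"
$viaDc     = "\\$DcName\sysvol\$Domain\Policies"

# Take the list of GPO folders from whichever path answers
$source = @($viaDc, $viaDomain) | Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if (-not $source) { Write-Warning 'Neither SYSVOL path is reachable.'; return }

# 1. Is gpt.ini readable through both names for every GPO?
Get-ChildItem -LiteralPath $source |
    Where-Object { $_.PSIsContainer -and $_.Name -like '{*}' } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Gpo       = $_.Name
            ViaDomain = Test-Path -LiteralPath (Join-Path $viaDomain "$($_.Name)\gpt.ini")
            ViaDc     = Test-Path -LiteralPath (Join-Path $viaDc "$($_.Name)\gpt.ini")
        }
    } | Format-Table Gpo, ViaDomain, ViaDc -AutoSize

# 2. When were Userenv 1030/1058 logged? (shows the 5-minute cadence, if any)
Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.Source -eq 'Userenv' -and (1030, 1058 -contains $_.EventID) } |
    Sort-Object TimeGenerated |
    Format-Table TimeGenerated, EventID, EntryType -AutoSize

# 3. Which FRS events in the 13000s are present, and how many of each?
Get-EventLog -LogName 'File Replication Service' -Newest 500 |
    Where-Object { $_.EventID -ge 13000 -and $_.EventID -lt 14000 } |
    Group-Object EventID, EntryType |
    Sort-Object Name |
    Format-Table Count, Name -AutoSize
```

A GPO row with ViaDc true and ViaDomain false corresponds to the symptom reported above: the file is reachable by server name but not by domain name from the server itself.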
